Pro-Ukrainian hackers attacked the Russian national airline Aeroflot on Monday, causing massive disruptions and the cancellation of dozens of flights. They also allegedly exposed the data of all passengers, past and present. One security expert is calling it “kinetic sabotage.” Cybernews explains.
The nation’s largest airline announced “a failure in the operation of its information systems” at around 6:30 a.m. local time, according to the Russian news agency TASS.
Kremlin press secretary Dmitry Peskov attributed the IT failures to a hacker attack, calling the reports “troubling, but need to be clarified.”
“The information that we are reading in the public domain is quite alarming. The hacker threat remains for all large companies providing services to the population,” Peskov said.
Cyber-Partisans and Silent Crow claim credit
Two pro-Ukraine hacking groups have claimed responsibility for the attack – the Eastern European groups “Silent Crow” and the “Belarusian Cyber-Partisans" – both known colleagues of the IT Army of Ukraine.
The hackers boasted not just about taking control of the airline’s systems, but also gaining access to the passenger data of anyone who has ever flown with Aeroflot.
“For over a year, pro‑Ukraine actor Silent Crow allegedly infiltrated Aeroflot’s network, stole terabytes of data, and physically destroyed thousands of servers” said Steve Povolny, Senior Director of Security Research at cybersecurity firm Exabeam.
Labeling the incident as among “the most disruptive cyberattacks Russia has experienced since Ukraine’s full‑scale invasion in February 2022,” Povolny says it also demonstrates “the tremendous scale and impact that successful cyber operations can have – especially when they occur during an active armed conflict.”
Dozens of flight cancellations in a single day have stranded hundreds of passengers and inflicted tens of millions in operational and reputational damage, Povolny noted.
The Russian Ministry of Transport said early Monday that the attack forced the cancellation of 54 round-trip flights, with "the other 206 out of 260 flights scheduled for today being prepared to be made."
Additionally, dozens of other flights showed hours-long delays on the departure board for Moscow's Sheremetyevo International Airport, the nation's busiest.
"Specialists are currently working to minimize the impact on the flight schedule and to restore normal service operations," Aeroflot said. The airline is said to be prioritizing flights to the Far East, Kaliningrad, Sochi, Mineralnye Vody, and other international destinations, according to TASS.
Meantime, Aeroflot said it has brought in a team of security specialists to help remediate the damage from the attack, but did not provide a timeline for when services would be fully restored.
7,000 servers destroyed, leaks are imminent, hackers say
The Cyber-Partisans is a self-proclaimed community of anonymous hacktivists, fighting for the liberation of Belarus from the current president and dictator, Alexander Lukashenko, and the establishment of democratic rights and the rule of law in the country, according to its website.
Lukashenko, who has been the only president of Belarus since 1994, is considered a hated tyrant who has depended on Russian money and support to stay in office, allowing the Kremlin to use the nation as a launchpad in the war with Ukraine.
Listing the damages to Aeroflot's systems, the Cyber-Partisans said it began its attack on Aeroflot’s systems the night of July 27th, working through the morning of the 28th, in partnership with Silent Crow.
“By early morning, we had destroyed over 7,000 servers and workstations, databases, and internal systems” including those of senior management, it said on its website, translated from Russian.
- 🔥 Over 7 thousand servers and workstations were destroyed in the offices of Sheremetyevo, Melkisarovo and the corresponding data centers.
- 🔥 Wiped out databases and information systems CREW, Sabre, Sharepoint, Exchange, KASUD, Sirax, Sophie, CRM, ERP, 1C, security systems and other elements of the Aeroflot corporate network structure.
- 🔥 We downloaded a lot of databases, employee wiretapping, mail and much more, expect leaks!
- 🔥 We have uploaded an array of flight history databases, which can now be used upon request for independent investigations.
The group claims the operation's success in compromising “the entire infrastructure” hinged on “the fact that some company employees neglect basic password security,” and the airline’s use of "Windows XP and 2003" to run its network.
“For example, Aeroflot CEO Sergei Aleksandrovsky has not changed his password since 2022😉,” the Cyber-Partisans wrote with a winky face emoji.
A plaintext message from the group is said to have been posted on all the airline’s employee computers' screens titled “AEROFLOT KAPUT” followed by “ruskies, what's up with yebalo?” (a common slang insult), links to the two groups’ Telegram accounts, and ending with the phrase "Let's fly."
Claiming all the airline's data has been permanently “erased by a special innovative algorithm,” the Belarus hacker collective also said it was saving the “most interesting things” for themselves, including "wiretapping of employees and work emails," which it promised to “publish on the channel!”
Active since at least 2020, the Cyber-Partisans are also no stranger to carrying out major attacks for its cause, one of the most recent in May at Grodno Azot, a state owned Belarusian fertilizer company known for evading sanctions, as well as the Belarus KGB in April in which the group published a database of “40 thousand requests to the KGB from citizens of different countries in the period from September 2014 to August 2023.”
Others claimed by the collective include cyberattacks on the government’s main news and radio sites, the Belarusian State University, Russian military communication networks, the Belarus Ministry of Internal Affairs, the Belarusian Railways (used to transport Russian occupation troops), and Belarus prison cell wiretaps.
"New level of cyber impact in war"
Povolny explains that the Aeroflot attack represents a new level of cyber impact in war operations, with threat actors now “blending espionage, sabotage, and data destruction to undermine national resilience.”
The Senior security researcher says that “shutting down civilian mobility while sending a broader psychological message – in physical‑war terms – mirrors kinetic sabotage.”
It's “disrupting critical infrastructure, without a single bomb dropped,” he said.
One senior lawmaker, Anton Gorelkin, had claimed on Monday that Russia was under digital attack. "We must not forget that the war against our country is being waged on all fronts, including the digital one. And I do not rule out that the ‘hacktivists’ who claimed responsibility for the incident are in the service of unfriendly states," he said in a statement.
Moscow region, Russia ❗
undefined LX (@LXSummer1) July 28, 2025
✈️ Flight chaos at Sheremetyevo: Numerous Aeroflot flights were canceled or delayed on the morning of July 28! Aeroflot reported a so-called “service malfunction” due to issues with its information systems, though no specific cause was disclosed.… pic.twitter.com/OhnK2RQGNE
And former Aeroflot pilot and aviation expert, Andrei Litvinov, told Reuters on Monday that the incident was “a serious disaster... Okay, flight delays – you can survive that. But these are losses, huge losses for a state-owned company."
"If all the correspondence, all the corporate data is exposed – this can have very long-term consequences ... First the drones, and now they are blowing up this situation from the inside," the pilot said.
Povolny pointed out that earlier Russian cyber campaigns were much more focused on infrastructure denial and economic disruption, citing examples such as the 2015 Ukraine blackout and the 2023 Kyivstar telecom attack.
Both eventually attributed to Russia’s Sandworm group, Povolny describes the 2015 Ukrainian blackout knocking out electricity for roughly 230,000 consumers using KillDisk malware and SCADA manipulation, and the Kyivstar attack disrupting internet and mobile service for millions of Ukrainians, including air‑raid alert systems, costing some $90 million in damages.
“By contrast, the Aeroflot strike combined deep covert infiltration, physical destruction of servers, and cascading service failure affecting both domestic and international travel," Povolny said.
“From a security leader’s perspective, the Aeroflot attack reinforces the need for continuous threat hunting, network segmentation, disaster recovery planning, and collaboration across industry and government to defend critical civilian systems during wartime," he said.
Aeroflot is one of the top 20 airlines worldwide, clocking over 55.3 million flyers in 2024, according to its website. The airline said affected passengers could get a refund or rebook as soon as its systems were back up and running.
Your email address will not be published. Required fields are markedmarked